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Reaching  the  Goal  -  Protect  the  Net 


Trusting  the  Team:  Identity  Protection  and  Management 

Defense-Wide  Information  Assurance  Program 

Identity  protection  and  management  is  at  the  heart  of  establishing  and  maintaining  a  secure  and  interoperable  infrastructure. 

We  must  be  able  to  trust  the  identity  of  information  producers,  service  providers,  and  consumers  of  the  information  and  ser¬ 
vices.  The  article  highlights  the  Department  of  Defense’s  (DoD’s) primary  initiatives  in  this  area. 


Information  superiority  is  heavily 
dependent  on  establishing  and  main¬ 
taining  a  secure  and  interoperable  infra¬ 
structure.  At  the  heart  of  it  all  is  identity 
protection  and  management.  We  must  be 
able  to  trust  the  identity  of  information 
producers,  service  providers,  and  con¬ 
sumers.  In  pursuing  these  objectives, 
many  goals  over  the  past  15  years  have 
been  achieved,  primarily  through  the 
efforts  of  three  DoD  initiatives:  Com¬ 
mon  Access  Card  (CAC),  Public  Key 
Infrastructure  (PKI),  and  biometrics. 

The  CAC  provides  the  standard  iden¬ 
tification  card  for  authorized  DoD  users 
—  the  DoD  credential  enabling  physical 
and  logical  access.  The  DoD  has  issued 
more  than  1 1  million  identity  cards 
(more  than  3.5  million  are  in  current  cir¬ 
culation).  Use  of  the  CAC  and  the  PKI 
certificates  on  the  token  eliminates  the 
need  to  use  passwords  when  authenticat¬ 
ing.  This  mitigates  a  major  problem  with 
protecting  DoD  networks  from  unau¬ 
thorized  intruders. 

In  addition  to  improving  the  security 
of  our  networks,  the  CAC,  with  its  PKI 
credentials,  is  also  accelerating  our 
migration  to  the  Web.  By  allowing  the 
use  of  digital  signatures  in  systems  like 
the  Defense  Travel  System,  labor-inten¬ 
sive  paper  processes  are  being  eliminat¬ 
ed.  The  CAC  also  provides  the  means  to 
improve  physical  access  security  at  DoD 
installations  around  the  world.  When  a 
base  or  a  theater  of  operations  imple¬ 
ments  rapid  electronic  authentication, 
hundreds  of  fake  identification  cards  are 
confiscated  every  week  and  unauthorized 
accesses  are  prevented  (more  than  a  mil¬ 
lion  in  Europe  alone  in  just  one  year). 
Our  DoD  CAC  initiative  is  one  of  the 
most  award-winning  and  successful 
smart  card  efforts  in  the  world. 

PKI  utilizes  a  combination  of  soft¬ 
ware,  encryption  technologies,  and  ser¬ 
vices  that  enable  enterprises  to  protect 
their  communications  and  business 
transactions  on  networks.  PKI  integrates 
digital  certificates,  public-key  cryptogra¬ 
phy,  and  certificate  authorities  into  a  total 
enterprise-wide  network  security  archi¬ 


tecture.  The  DoD  has  initiated  one  of 
the  largest  PKI  implementations  in  the 
world  with  more  than  20  million  certifi¬ 
cates  issued  across  the  DoD.  Since  the 
mandate  to  move  to  cryptographic  log-in 
on  our  networks,  the  DoD  reduced  suc¬ 
cessful  intrusions  into  its  networks  by  46 
percent. 

Biometrics  provide  a  measurable 
identity  factor  that  can  be  bound  to  an 
electronic  identity  for  use  during  authen¬ 
tication.  Measurable  physiological  or 
behavioral  characteristics  —  including  fin¬ 
gerprints,  iris  recognition,  voice  analysis, 
and  handwriting  dynamics  —  can  be  used 
to  validate  an  established  identity.  In 
2006,  the  Deputy  Secretary  of  Defense 
established  the  defense  research  and 
engineering  as  the  Principal  Staff 
Assistant  for  Biometrics  and  the  Army 
established  the  Biometrics  Task  Force  to 
lead,  consolidate,  and  coordinate  all  bio¬ 
metric  information  assurance  activities 
and  ensure  biometrics  technologies  are 
integrated  across  DoD.  Every  day  in  Iraq 
and  other  area  of  responsibility  sites, 
biometrics  of  visitors  and  workers  are 
being  checked  against  terrorist  watch 
lists  and  Red  Force  databases.  We  are 
detaining  people  whose  fingerprints  were 
left  behind  on  improvised  explosive 
devices  and  denying  access  to  those  indi¬ 
viduals  on  these  watch  lists. 

To  align  the  efforts  of  these  three 
program  offices  into  one  coordinated 
venture  across  the  DoD,  the  Identity 
Protection  and  Management  Senior 
Coordinating  Group  (IPMSCG)  was 
established  in  January  2004.  The  IPM¬ 
SCG  oversees  DoD  policy,  strategy,  and 
capability  implementation  and  has  devel¬ 
oped  the  DoD  Road  Map  to  Identity 
Superiority.  Also  critical  in  the  Global 
War  on  Terror  is  the  need  to  align  these 
DoD  efforts  with  similar  initiatives  with¬ 
in  the  federal  government,  law  enforce¬ 
ment  agencies,  state  and  local  govern¬ 
ments,  and  allied  coalition  forces. 

Homeland  Security  Presidential 
Directive  No.  12  <www.whitehouse. 
gov/ news  /  releases/  08/  20040827-8. 
html>  establishes  the  framework  for  a 


common  identification  standard  for  all 
federal  government  employees  and  con¬ 
tractors.  The  standards-based  credential 
will  facilitate  electronically  validated 
entry  to  federal  facilities  and  electronic 
credential-based  authentication  to  virtual 
spaces,  enabling  more  secure  informa¬ 
tion  sharing  within  the  federal  govern¬ 
ment.  To  meet  these  requirements,  the 
DoD’s  pursuit  of  next-generation  identi¬ 
ty-based  technologies,  standards,  and 
processes  must  include  such  key  ele¬ 
ments  as  the  following:  identity  proofing, 
credentialing,  directory  services,  authen¬ 
tication,  authorization,  privacy,  and  a 
tighter  link  between  the  identity  proofing 
and  credentialing  processes. 

Identity  Superiority 

As  detailed  in  the  DoD  Road  Map  to 
Identity  Superiority,  the  success  of  the 
DoD’s  approach  to  identity  management 
is  crucial  if  we  are  to  advance  to  a  broad¬ 
er,  next-generation  identity  protection 
and  management  capability  or  identity 
superiority.  Identity  superiority  will 
enable  secure ,  integrated, ,  interoperable ,  and 
scalable  information  sharing  solutions  for  peo¬ 
ple,  systems,  and  services  in  a  net-centric 
warfare  environment.  In  implementing 
the  DoD’s  approach  to  identity  superior¬ 
ity,  a  number  of  initiatives  that  take 
advantage  of  CAC,  PKI,  and  biometrics 
are  under  way: 

•  Mandated  use  of  the  CAC  to  log-on 
to  DoD  networks  decreases  the  use 
of  passwords,  significantly  decreasing 
successful  DoD  network  intrusions 
by  46  percent  and  socially  engineered 
email  attacks  by  30  percent. 

•  DoD  Interoperability  Root  Certifi¬ 
cate  Authority  is  being  established 
(—March  2007)  as  a  first  step  in 
enabling  the  DoD  to  have  the  ability 
to  successfully  interoperate  with  non- 
DoD  entities  (on  a  limited  basis). 

•  Automated  Biometric  Identification 
System  is  currently  a  repository  of 
Red  Force  biometrics  data.  This  data 
is  used  in  identifying  potential  nation¬ 
al  security  threats. 

There  is  still  significant  work  that  needs 
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to  be  done.  Achieving  identity  superiority 
requires  more  than  the  efforts  of  the  three 
program  offices.  Actions  required  to 
achieve  identity  superiority  include  align¬ 
ing  initiatives  under  way  in  each  of  the 
three  program  offices,  expanding  the 
focus  to  accommodate  the  continually 
evolving  warfighting  environment,  and 
identifying  additional  enabling  processes 
and  technologies  that  are  needed  but  not 
yet  supported.  Identity  is  key  to  being  able 
to  take  full  advantage  of  the  power  of  the 
Internet. 

With  a  well-defined  and  trusted  identi¬ 
ty  management  architecture,  the  DoD  can 
evolve  its  current  access  control  model  to 
where  consumers  with  authorized  creden¬ 
tials  can  access  information  without  hav¬ 
ing  to  pre-register  with  the  information 
provider.  For  this  evolution,  the  DoD  is 
pursuing  the  concept  of  Attribute  Based 
Access  Control;  where  policy-based,  fine¬ 
grained  access  control  processes  use  vali¬ 
dated  attributes  to  authenticate  users  and 
devices  and  make  authorization  decisions. 
Attributes  are  qualities  or  characteristics 
inherent  in  or  ascribed  to  an  identity 
(human  or  device)  such  as  mission,  func¬ 


tion,  area  of  interest,  name,  rank,  role,  cit¬ 
izenship,  location,  or  organization.  This  is 
the  new  direction  of  authorization  needed 
for  information  sharing.  It  is  the  combina¬ 
tion  of  identity,  knowing  who  you  are,  and 
information  release  —  knowing  who  can  see  a 
piece  of  information.  Authorization  is  the 
process  that  joins  these  two  pieces  of 
knowledge  together. 


The  DoD  has  long  emphasized  using 
state-of-the-art  technology  to  secure  and 
protect  its  most  vital  assets:  people,  informa¬ 
tion,  and  equipment.  Our  quest  for  identity 
protection  and  management  or  identity  supe¬ 
riority  will  continue  that  tradition  and  pro¬ 
vide  our  warfighters  and  supporting  work¬ 
force  with  the  enabling  technology  and  tools 
necessary  for  tomorrow’s  challenge s.^ 


About  Defense-Wide  Information  Assurance  Program 

This  article  was  a  combined  effort  of  several  members  of  the  Defense-Wide 
Information  Assurance  Program  (DIAP).  The  DIAP  is  within  the  Information 
Assurance  Policy  Directorate  of  the  Office  of  the  Assistant  Secretary  of  Defense  for 
Networks  and  Information  Integration  (OASD  [Nil])  DoD  Chief  Information 
Officer  (CIO)  and  is  responsible  to  the  ASD  (Nil)  DoD  CIO  for  ensuring 
Information  Assurance  (IA)  is  pursued  and  implemented  throughout  the  DoD,  as  well 
as  the  intelligence  community,  as  a  critical  operational  readiness  issue.  The  DIAP 
Office  coordinates,  integrates,  and  oversees  IA  processes  of  the  DoD  and  is  the  cen¬ 
tral  focal  point  for  organizing  and  marshalling  the  resources  to  execute  its  mission. 
The  program’s  operations  are  focused  on  linking  and  integrating  IA  management  into 
the  DoD  planning,  programming,  budgeting,  and  execution  process;  the  requirements 
generation  process,  the  acquisition  process,  and  readiness  reporting  process.  More 
information  on  the  DIAP  can  be  found  at  <www.defenselink.mil/cio-nii/infoass 
urance  /  diap  /  index.html> . 
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Thanks  to  everyone  who  participated  at  SSTC 
2007  in  Tampa  Bay,  Florida! 

Proceedings  will  be  posted  online  by  mid-July 


SSTC  continues  to  be  the  great  Department  of  Defense 
(DoD)  event  you  don't  want  to  miss 
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Watch  the  web  for  upcoming  info  and  announcement 
of  location  and  dates  for  SSTC  2008 
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